#!/bin/bash
set -eu

TESTDIR=$(readlink -f $(dirname $0))

case "$APT_TEST_METHOD" in
	https*)
		:
		;;
	*)
		echo 'SKIP (makes sense only for APT_TEST_METHOD being https*)' >&2
		exit 0
		;;
esac

. $TESTDIR/framework-without-repo
prereq $TESTDIR/test-apt-install-simple

# generate another key, and pin apt to it. Check cert pinning
msgmsg 'Pinning invalid cert in apt'
readonly ANOTHER_CRT=$TMPWORKINGDIRECTORY/cert.another.crt
openssl req -x509 \
	-newkey rsa:4096 \
	-keyout /dev/null \
	-out "$ANOTHER_CRT" \
	-nodes \
	-days 365 \
	-subj "/CN=$NGINX_HOST" \
    &>/dev/null

cat >| $TMPWORKINGDIRECTORY/rootdir/etc/apt/apt.conf.d/81https-pinning.conf << END
Acquire::https::PinnedCert	"$ANOTHER_CRT";
END

testfailure aptget update

testpkgnotinstalled 'conflicting-package-one'
testfailure aptget install conflicting-package-one
testpkgnotinstalled 'conflicting-package-one'
